+++ b/core/modules/system/lib/Drupal/system/Controller/ThemeController.phpundefined@@ -117,10 +129,73 @@ public function enable(Request $request) {+ drupal_set_message(t('Please note that the administration theme is still set to the %admin_theme theme; consequently, the theme on this page remains unchanged. All non-administrative sections of the site, however, will show the selected %selected_theme theme by default.', array(...+ drupal_set_message(t('%theme is now the default theme.', array('%theme' => $themes[$theme]->info['name'])));...+ drupal_set_message(t('The %theme theme was not found.', array('%theme' => $theme)), 'error');
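Review bot: all three added drupal_set_message(t(...)) lines in ThemeController call the global t() from inside a controller class, which hides the dependency and makes the messages hard to unit test; take the translation from the string_translation service on the container instead. In the 'The %theme theme was not found.' line, $theme is a name that matched no known theme and is echoed back to the user, so keep it on the % placeholder, which escapes the value, and do not switch it to a ! placeholder in a later reroll.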

t is injectable... we have the string_translation service on the container.

Don't use $request->get(). Use $request->query->get(), so it's clear where it's coming from.

This is a Novice-able reroll.

Once that's in, though, we should refactor this code entirely. Having the same controller do the page display and the update is very wrong. Having configuration change on a GET request is even more wrong, even if there's a token on it.

At the very least we should split this up into two controllers, one that actually makes the change and then redirects back to the other display-only controller. But I'm OK with that being a follow-up. For now, let's just fix the above and get this in.

Attached patch uses CsrfGenerator service. It also removes ContainerInjection since that comes along with ControllerBase. Finally, using configFactory instead of getting the specific config in the constructor.